Server 2008 Domain Controller Malware? Please help with HJT


Postby eclare82 » Wed Jun 27, 2012 12:22 am

Hi everyone, I have a Domain Controller running Server 2008 (it's a Hyper-V Virtual Machine).

We've been having trouble with this machine locking up constantly over the past several days. Malwarebytes found items with a quick scan and TDSSKiller found an infection as well, but we can't get a full scan to run because the server locks up.

I have run HijackThis; could someone please assist me with reviewing this for any signs of issues?

I truly appreciate any assistance you can offer.

Thanks,
Ed
Logfile of HijackThis v1.99.1
Scan saved at 7:09:30 PM, on 6/26/2012
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)

Running processes:
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Kaseya\SPDTCH87888209723282\KaUsrTsk.exe
\DC1\User redirected data\eclare\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/SoftAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/SoftAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://10.1.16.3/wpad.dat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.16.1:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [KASHSPDTCH87888209723282] "C:\Program Files (x86)\Kaseya\SPDTCH87888209723282\KaUsrTsk.exe"
O11 - Options group: [INTERNATIONAL] International
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GBD.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{D92DF93A-66F6-40B9-957C-29B267B3CBFA}: NameServer = 10.1.16.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GBD.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = GBD.local
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30011 (AppHostSvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: ClStateBackAsst - Zenith Infotech - C:\PROGRA~2\SAAZOD\clstatebackAsst.exe
O23 - Service: @%systemroot%\system32\dfssvc.exe,-101 (Dfs) - Unknown owner - C:\Windows\system32\dfssvc.exe (file missing)
O23 - Service: @dfsrress.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSRs.exe (file missing)
O23 - Service: @%systemroot%\system32\dns.exe,-49157 (DNS) - Unknown owner - C:\Windows\system32\dns.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\System32\ismserv.exe,-1 (IsmServ) - Unknown owner - C:\Windows\System32\ismserv.exe (file missing)
O23 - Service: Kaseya Agent (KASPDTCH87888209723282) - Kaseya International Limited - C:\Program Files (x86)\Kaseya\SPDTCH87888209723282\AgentMon.exe
O23 - Service: @%SystemRoot%\System32\kdcsvc.dll,-1 (kdc) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Ktvn_SPDTCH87888209723282 - Unknown owner - C:\Program Files (x86)\Kaseya\SPDTCH87888209723282\DesktopAccess\Ktvnserver.exe" -portableservice -servername Ktvn_SPDTCH87888209723282 -inidirectory "C:\Program Files (x86)\Kaseya\SPDTCH87888209723282\DesktopAccess (file missing)
O23 - Service: McAfee ePolicy Orchestrator 4.6.0 Server (MCAFEEAPACHESRV) - Unknown owner - C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: McAfee ePolicy Orchestrator 4.6.0 Event Parser (MCAFEEEVENTPARSERSRV) - McAfee, Inc. - C:\Program Files (x86)\McAfee\ePolicy Orchestrator\EventParser.exe
O23 - Service: McAfee ePolicy Orchestrator 4.6.0 Application Server (MCAFEETOMCATSRV250) - Apache Software Foundation - C:\PROGRA~2\McAfee\EPOLIC~1\Server\bin\tomcat5.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: SQL Server (EPOSERVER) (MSSQL$EPOSERVER) - Unknown owner - C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sEPOSERVER (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\System32\ntdsmsg.dll,-1 (NTDS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: File Replication Service (NtFrs) - Unknown owner - C:\Windows\system32\ntfrs.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%Systemroot%\system32\rqs.exe,-200 (rqs) - Unknown owner - C:\Windows\system32\rqs.exe (file missing)
O23 - Service: @gpapi.dll,-114 (RSoPProv) - Unknown owner - C:\Windows\system32\RSoPProv.exe (file missing)
O23 - Service: SAAZCore - Zenith Infotech Ltd. - C:\PROGRA~2\SAAZOD\SAAZCore.exe
O23 - Service: SAAZMSMACTL - Zenith Infotech Ltd - C:\PROGRA~2\SAAZOD\\SAAZMSMACTL.EXE
O23 - Service: SAAZScheduler - Zenith Infotech Ltd - C:\PROGRA~2\SAAZOD\\SAAZScheduler.exe
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: ShadowProtect Service (ShadowProtectSvc) - StorageCraft Technology Corporation - C:\Program Files (x86)\Zenith\Zenith Infotech\ShadowProtectSvc.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vmicres.dll,-101 (vmicheartbeat) - Unknown owner - C:\Windows\system32\vmicsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vmicres.dll,-201 (vmickvpexchange) - Unknown owner - C:\Windows\system32\vmicsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vmicres.dll,-301 (vmicshutdown) - Unknown owner - C:\Windows\system32\vmicsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vmicres.dll,-401 (vmictimesync) - Unknown owner - C:\Windows\system32\vmicsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vmicres.dll,-501 (vmicvss) - Unknown owner - C:\Windows\system32\vmicsvc.exe (file missing)
O23 - Service: StorageCraft Shadow Copy Provider (VSNAPVSS) - StorageCraft Technology Corporation - C:\Windows\SysWOW64\vsnapvss.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30003 (W3SVC) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30001 (WAS) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files (x86)\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
eclare82
Newbie
Posts: 1
Joined: Wed Jun 27, 2012 12:12 am
Operating System: Server 2008

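The O23 block in the log above deserves a second look before anything is removed on its strength. HijackThis 1.99.1 is a 32-bit tool from before 64-bit Windows was common: when it checks a path under C:\Windows\System32 on an x64 host, WOW64 file-system redirection sends it to SysWOW64, where 64-bit-only binaries such as lsass.exe, dns.exe and dfssvc.exe do not exist, and it also cuts an ImagePath of the form `"C:\path\prog.exe" -args` at the closing quote and then looks for a file whose name includes the arguments. Both failure modes are visible in the log (the `Apache.exe" -k runservice (file missing)` line is the second one), so a `(file missing)` flag here is not by itself evidence of tampering. The script below is an added example by the editor, not code from the thread or from HijackThis; it parses O23 lines from a constructed sample copied from the log above and sorts each `(file missing)` flag into the two artifact classes, leaving a residue that actually deserves hands-on review. The environment-variable expansions and the verdict names are its own assumptions.

```python
import re
from collections import Counter

# Constructed sample: six O23 lines copied verbatim from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30011 (AppHostSvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Kaseya Agent (KASPDTCH87888209723282) - Kaseya International Limited - C:\Program Files (x86)\Kaseya\SPDTCH87888209723282\AgentMon.exe
O23 - Service: McAfee ePolicy Orchestrator 4.6.0 Server (MCAFEEAPACHESRV) - Unknown owner - C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files (x86)\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
O23 - Service: SAAZCore - Zenith Infotech Ltd. - C:\PROGRA~2\SAAZOD\SAAZCore.exe
"""

# An O23 line is "name - owner - image" with an optional "(file missing)" suffix.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<image>.+?)"
    r"(?P<missing> \(file missing\))?$"
)

# Assumed expansions for the variables HijackThis leaves unexpanded in ImagePath.
ENV_VARS = {"%systemroot%": r"C:\Windows", "%windir%": r"C:\Windows"}
SYSTEM32 = r"c:\windows\system32"


def normalize_image_path(image: str) -> str:
    """Recover the executable path from an HJT O23 image field.

    HJT strips the opening quote of a quoted ImagePath but keeps the closing one,
    so anything after the first remaining quote is the service's argument string.
    """
    path = image.split('"', 1)[0].strip()
    low = path.lower()
    for var, value in ENV_VARS.items():
        if low.startswith(var):
            return value + path[len(var):]
    return path


def classify(image: str, path: str, missing: bool) -> str:
    """Sort a '(file missing)' flag into artifact classes before treating it as evidence."""
    if not missing:
        return "present"
    if '"' in image:
        # Path was cut at the closing quote: the tool stat'ed a name that
        # included the argument string, not the real binary.
        return "quoting-artifact"
    if path.lower().startswith(SYSTEM32):
        # 32-bit HJT under WOW64 is redirected to SysWOW64, where 64-bit-only
        # system binaries (lsass.exe, dns.exe, dfssvc.exe, ...) do not exist.
        return "wow64-redirect-suspect"
    return "review"


def triage(log_text: str) -> list:
    """Parse every O23 line in the log and attach a verdict to each service."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        image = m.group("image")
        path = normalize_image_path(image)
        missing = m.group("missing") is not None
        entries.append({
            "name": m.group("name"),
            "owner": m.group("owner"),
            "image": image,
            "path": path,
            "missing": missing,
            "verdict": classify(image, path, missing),
        })
    return entries


def summarize(entries: list) -> dict:
    """Count services per verdict; anything under 'review' is what to look at by hand."""
    return dict(Counter(e["verdict"] for e in entries))


if __name__ == "__main__":
    rows = triage(SAMPLE_LOG)
    for e in rows:
        print(f'{e["verdict"]:24} {e["owner"]:28} {e["path"]}')
    print(summarize(rows))
```

Run over the full O23 block above, every `(file missing)` entry lands in one of the two artifact classes and nothing reaches `review`, which is the point: the services that warrant attention on this host are the ones with an unfamiliar owner or an unexpected path, not the ones HJT could not find. The same normalization (strip the argument string, expand the variables) is what you would apply before feeding the paths to a hash lookup or a signature check on the machine itself, and on a 64-bit host that check has to be run from a 64-bit process or through `C:\Windows\Sysnative` to avoid the same redirection.
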
Re: Server 2008 Domain Controller Malware? Please help with HJT

Postby Gecko » Wed Jun 27, 2012 9:18 pm

Hi eclare82,

Please download ComboFix to your desktop.

Double-click combofix.exe and follow the prompts.

If ComboFix will not start or is ended before the "Blue window", please rename combofix.exe to cbf.exe and try again.

If cbf.exe will not start or is ended, you will have to run cbf.exe from Safe Mode.
Reboot into Safe Mode:
Restart Windows; after you see the BIOS screen and before Windows starts to load,
start tapping the F8 key. The Windows Advanced Options Menu appears.
Use the arrow keys to ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe Mode.

Do not exit ComboFix while it is running; you may lose all your personal settings!
Important Note - Do not mouse-click ComboFix's window while it's running, as that may cause it to stall.

When it's done running it will produce a log for you. Please post that log in your next reply.
Gecko
Super Moderator
Posts: 5206
Joined: Thu Oct 25, 2001 1:00 am
Location: Florida, USA
